Key Management Roles

Key Manager
    Responsible for initial key establishment on connection startup, create/delete TSAD entry
        TCP-AO choice could be application request or policy control
    Responsible for re-keying and TSAD update
        On external signal, policy, and/or communication from TSAD

TSAD (TCP Security Association Database)
    Holds/archives key tuples for each direction of connection

TCP
    Communicates with Key Manager on connection state change (at least on open and transition to Closed)
    Communicates with TSAD to retrieve key tuples on segment transmission and receipt
    Performs validation with keys retrieved
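The division of roles above, modelled as an added Python sketch (not code from these slides or from any TCP-AO implementation). It shows why the TSAD archives key tuples: a segment sent before a re-key still validates afterwards. Assumptions: the per-segment key ID, the truncated HMAC-SHA-256 standing in for the MAC, and the constructed connection tuple used as the lookup key on both sides.

```python
import hashlib, hmac, os

class TSAD:
    """Holds and archives key tuples per (connection, direction)."""
    def __init__(self):
        self.keys = {}      # (conn, direction) -> {key_id: key}; old ids stay archived
        self.active = {}    # (conn, direction) -> key_id used for new segments
    def install(self, conn, direction, key_id, key):
        self.keys.setdefault((conn, direction), {})[key_id] = key
        self.active[(conn, direction)] = key_id
    def delete(self, conn):
        for direction in ("out", "in"):
            self.keys.pop((conn, direction), None)
            self.active.pop((conn, direction), None)

class KeyManager:
    """Creates the TSAD entry on open, updates it on re-key, deletes it on close."""
    def __init__(self, tsad):
        self.tsad, self.next_id = tsad, 0
    def establish(self, conn, out_key, in_key):   # initial keying and re-keying
        self.tsad.install(conn, "out", self.next_id, out_key)
        self.tsad.install(conn, "in", self.next_id, in_key)
        self.next_id += 1
    def closed(self, conn):
        self.tsad.delete(conn)

def _mac(key, key_id, payload):   # assumption: truncated HMAC-SHA-256 as the MAC
    return hmac.new(key, bytes([key_id]) + payload, hashlib.sha256).digest()[:12]
def tcp_send(tsad, conn, payload):   # TCP fetches the active outbound key tuple
    key_id = tsad.active[(conn, "out")]
    return key_id, payload, _mac(tsad.keys[(conn, "out")][key_id], key_id, payload)

def tcp_receive(tsad, conn, segment):   # TCP fetches the inbound key by id, validates
    key_id, payload, mac = segment
    key = tsad.keys.get((conn, "in"), {}).get(key_id)
    return key is not None and hmac.compare_digest(mac, _mac(key, key_id, payload))

def demo():
    conn = ("192.0.2.1", 4000, "192.0.2.2", 179)          # constructed connection id
    km_a, km_b = KeyManager(TSAD()), KeyManager(TSAD())   # one TSAD per endpoint
    k1, k2, k3, k4 = (os.urandom(32) for _ in range(4))
    km_a.establish(conn, k1, k2); km_b.establish(conn, k2, k1)   # open
    old = tcp_send(km_a.tsad, conn, b"sent before re-key")
    km_a.establish(conn, k3, k4); km_b.establish(conn, k4, k3)   # re-key
    new = tcp_send(km_a.tsad, conn, b"sent after re-key")
    forged = (new[0], b"modified payload", new[2])
    results = [tcp_receive(km_b.tsad, conn, s) for s in (old, new, forged)]
    km_b.closed(conn)                                      # transition to Closed
    return results + [tcp_receive(km_b.tsad, conn, new)]
```
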